Configuring a reverse proxy point of contact server

Configuring a SAML 2.0 or OpenID Connect federation requires that you set up a reverse proxy instance as the point of contact.

Before you begin

You can use these instructions to configure a reverse proxy instance, or you can use the Web services REST APIs. The REST API topic is located in Web > Manage > Reverse Proxy > Federation Configuration.
Note: If you use the Web services REST APIs to configure a reverse proxy instance, ensure that the junction name is /isam.

About this task

The reverse proxy instance that you use authenticates users at the identity provider and protects services at the service provider. You must have a reverse proxy instance for both the service provider and the identity provider.

See Reverse proxy instance management for more information.

Procedure

  1. Import the federation runtime SSL certificate into the reverse proxy trusted signer certificates keystore. Use the local management interface to import the certificate. See Managing SSL certificates.
  2. Using the pdadmin command, create the /isam junction to the federation runtime. Substitute the values of your runtime in the following command:
    server task hostname-webseal-instanceName create -t ssl -c all -s -b ignore -j
      -e utf8_uri -J inhead -r -q /sps/cgi-bin/query_contents -f
      -h runtimeHostname -p runtimePort /isam
  3. Update the reverse proxy configuration file by using the local management interface:
    1. Click Web > Manage > Reverse Proxy.
    2. Select the reverse proxy instance to update, and click Manage > Configuration > Edit Configuration File.
    3. Edit the configuration file with the following stanzas and entries, depending on the federation protocol:
      SAML 2.0
      [ba]
      ba-auth = none
      [forms]
      forms-auth = https
      [authentication-levels]
      level = ext-auth-interface
      [eai]
      eai-auth = https
      retain-eai-session = yes
      eai-verify-user-identity = no
      eai-redir-url-priority = yes
      [eai-trigger-urls]
      trigger = /isam/sps/auth*
      trigger = /isam/sps/federation_name/saml20/soap*
      trigger = /isam/sps/federation_name/saml20/slo*
      trigger = /isam/sps/federation_name/saml20/login*
      [session]
      user-session-ids = yes

      Legacy OpenID Connect
      [ba]
      ba-auth = none
      [forms]
      forms-auth = https
      [junction:/isam]
      reset-cookies-list = *JSESSIONID*,*WAS*
      (RP only) [authentication-levels]
      level = ext-auth-interface
      (RP only) [eai]
      eai-auth = https
      eai-redir-url-priority = yes
      (RP only) [eai-trigger-urls]
      trigger = /isam/sps/oidc/client/federation_providerID*

      OpenID Connect Relying Party
      [ba]
      ba-auth = none
      [forms]
      forms-auth = https
      [junction:/isam]
      reset-cookies-list = *JSESSIONID*,*WAS*
      [authentication-levels]
      level = ext-auth-interface
      [eai]
      eai-auth = https
      eai-redir-url-priority = yes
      [eai-trigger-urls]
      trigger = /isam/sps/oidc/rp/fedname/redirect/*
  4. Using the pdadmin command, define the nobody, anyauth, and unauth ACLs. Substitute the WebSEAL server user of your instance (for example, default-webseald/isam-op) for default-webseald/hostname in the following commands:
    acl create fedname-nobody
    acl modify fedname-nobody set user default-webseald/hostname TcmdbsvaBRl
    acl modify fedname-nobody set user sec_master TcmdbsvaBRrxl
    acl modify fedname-nobody set group iv-admin TcmdbsvaBRrxl
    acl modify fedname-nobody set group webseal-servers Tgmdbsrxl
    acl modify fedname-nobody set any-other T
    acl modify fedname-nobody set unauthenticated T

    acl create fedname-anyauth
    acl modify fedname-anyauth set user default-webseald/hostname TcmdbsvaBRl
    acl modify fedname-anyauth set user sec_master TcmdbsvaBRrxl
    acl modify fedname-anyauth set group iv-admin TcmdbsvaBRrxl
    acl modify fedname-anyauth set group webseal-servers Tgmdbsrxl
    acl modify fedname-anyauth set any-other Tr
    acl modify fedname-anyauth set unauthenticated T

    acl create fedname-unauth
    acl modify fedname-unauth set user default-webseald/hostname TcmdbsvaBRl
    acl modify fedname-unauth set user sec_master TcmdbsvaBRrxl
    acl modify fedname-unauth set group iv-admin TcmdbsvaBRrxl
    acl modify fedname-unauth set group webseal-servers Tgmdbsrxl
    acl modify fedname-unauth set any-other Tr
    acl modify fedname-unauth set unauthenticated Tr
  5. Using the pdadmin command, create the ACLs on the policy server, and attach them to the relevant endpoints.
    SAML 2.0
    fedname-nobody:
    /WebSEAL/hostname-webseal/isam
    fedname-unauth:
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/login
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/sloinitial
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/mnids
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/logininitial
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/slo
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/soap
    fedname-anyauth:
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/mnidsinitial
    /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/auth
    /WebSEAL/hostname-webseal/isam/sps/wssoi
    /WebSEAL/hostname-webseal/isam/sps/auth

    Legacy OpenID Connect
    fedname-nobody:
    /WebSEAL/hostname-instance/isam
    fedname-unauth:
    /WebSEAL/hostname-instance/isam/sps/static
    /WebSEAL/hostname-instance/isam/sps/fedname/oidc/auth
    /WebSEAL/hostname-instance/isam/oidc/scripts
    /WebSEAL/hostname-instance/isam/oidc/endpoint/amapp-runtime-fedname/token
    /WebSEAL/hostname-instance/isam/oidc/endpoint/amapp-runtime-fedname/introspect
    /WebSEAL/hostname-instance/isam/oidc/endpoint/amapp-runtime-fedname/authorize
    (RP only) /WebSEAL/hostname-instance/isam/sps/oidc/client/fedname
    (RP only) /WebSEAL/hostname-instance/isam/oidcclient/redirect
    fedname-anyauth:
    /WebSEAL/hostname-instance/isam/sps/auth

    OpenID Connect Relying Party
    fedname-unauth:
    /WebSEAL/hostname-instance/isam/sps/oidc/rp/fedname/kickoff
    /WebSEAL/hostname-instance/isam/sps/oidc/rp/fedname/redirect
  6. Using the pdadmin command, add the HTTP-Tag-Value attribute to the /isam junction object to propagate the user_session_id to the federation runtime:
    • If force-tag-value-prefix = yes:
      object modify /WebSEAL/hostname-default/isam set attribute
        HTTP-Tag-Value user_session_id=USER-SESSION-ID
    • If force-tag-value-prefix = no:
      object modify /WebSEAL/hostname-default/isam set attribute
        HTTP-Tag-Value tagvalue_user_session_id=USER-SESSION-ID
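As an added check for step 3 (example code written for this page, not part of the IBM procedure or product), the following Python script parses a reverse proxy configuration file in the stanza and entry layout shown above and reports which of the required SAML 2.0 or OpenID Connect Relying Party entries are absent. It understands that one key can repeat inside a stanza (several trigger or level entries), which a plain INI parser would collapse. The embedded configuration is a constructed sample of only the relevant stanzas, and the federation name myfed is an assumption.

```python
"""Verify that a WebSEAL reverse proxy configuration file carries the
stanza entries required for a federation point of contact.

Added example, not IBM's code. Assumes the "[stanza]" / "key = value"
layout shown in the procedure, where a key may repeat within a stanza.
"""
from collections import defaultdict


def parse_webseal_config(text):
    """Parse stanza text into {stanza: {key: [value, ...]}}.

    Repeated keys are kept as a list so that multi-valued entries such as
    several "trigger = ..." lines are all visible to the check.
    """
    config = defaultdict(lambda: defaultdict(list))
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza is None or "=" not in line:
            continue  # ignore lines outside any stanza or without a value
        key, _, value = line.partition("=")
        config[stanza][key.strip()].append(value.strip())
    return config


def saml20_requirements(federation_name):
    """Entries from step 3 for a SAML 2.0 point of contact."""
    fed = federation_name
    return {
        ("ba", "ba-auth"): {"none"},
        ("forms", "forms-auth"): {"https"},
        ("authentication-levels", "level"): {"ext-auth-interface"},
        ("eai", "eai-auth"): {"https"},
        ("eai", "retain-eai-session"): {"yes"},
        ("eai", "eai-verify-user-identity"): {"no"},
        ("eai", "eai-redir-url-priority"): {"yes"},
        ("eai-trigger-urls", "trigger"): {
            "/isam/sps/auth*",
            f"/isam/sps/{fed}/saml20/soap*",
            f"/isam/sps/{fed}/saml20/slo*",
            f"/isam/sps/{fed}/saml20/login*",
        },
        ("session", "user-session-ids"): {"yes"},
    }


def oidc_rp_requirements(federation_name):
    """Entries from step 3 for an OpenID Connect Relying Party."""
    return {
        ("ba", "ba-auth"): {"none"},
        ("forms", "forms-auth"): {"https"},
        ("junction:/isam", "reset-cookies-list"): {"*JSESSIONID*,*WAS*"},
        ("authentication-levels", "level"): {"ext-auth-interface"},
        ("eai", "eai-auth"): {"https"},
        ("eai", "eai-redir-url-priority"): {"yes"},
        ("eai-trigger-urls", "trigger"): {
            f"/isam/sps/oidc/rp/{federation_name}/redirect/*"
        },
    }


def find_missing(config, requirements):
    """Return '[stanza] key = value' strings for every required entry
    that is not present with exactly that value."""
    missing = []
    for (stanza, key), wanted in requirements.items():
        present = set(config.get(stanza, {}).get(key, []))
        for value in sorted(wanted - present):
            missing.append(f"[{stanza}] {key} = {value}")
    return missing


def check_saml20(text, federation_name):
    return find_missing(parse_webseal_config(text), saml20_requirements(federation_name))


def check_oidc_rp(text, federation_name):
    return find_missing(parse_webseal_config(text), oidc_rp_requirements(federation_name))


# Constructed sample: two SAML 2.0 entries were deliberately left out.
SAMPLE_CONFIG = """\
# relevant stanzas only (constructed sample)
[ba]
ba-auth = none
[forms]
forms-auth = https
[authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface
[eai]
eai-auth = https
retain-eai-session = yes
eai-redir-url-priority = yes
[eai-trigger-urls]
trigger = /isam/sps/auth*
trigger = /isam/sps/myfed/saml20/soap*
trigger = /isam/sps/myfed/saml20/login*
[session]
user-session-ids = yes
"""

if __name__ == "__main__":
    for entry in check_saml20(SAMPLE_CONFIG, "myfed"):
        print("missing:", entry)
```

Run it against an exported configuration file instead of the sample to confirm the edit before testing the federation; the check only looks for the required entries and does not inspect other values in the same stanzas, so an unrelated entry that breaks the setup (for example a second trigger URL that is too broad) still needs a manual review.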